Rethinking PGP encryption
Filippo Valsorda wrote an article recently on ArsTechnica titled I’m Throwing in the Towel on PGP, and I Work in Security that really made me think. Filippo is the real deal when it comes to PGP; few have his bona fides in the security arena, and when he talks, people should listen.
The basic message of the article is the same one that we’ve been hearing for two decades: PGP is hard to use. I’ve been a proponent since 1994 or so, when I first downloaded PGP. I contributed to Phil Zimmermann’s defense fund (and have the T-shirt somewhere in my attic to prove it). As an educator I’ve discussed PGP and how it works with nearly every class I’ve taught in the past 20 years. I push it really hard.
And yet, like Filippo, I receive two, maybe three encrypted emails each year, often because I initiated the encrypted conversation. Clearly there’s an issue here.
Most stock email clients don’t support PGP. Mail on MacOS doesn’t. I’m pretty sure that Outlook doesn’t. I use Thunderbird because it does support PGP via a plugin. I really don’t get this…email should be encrypted by default in a simple, transparent way by every major email client. Key generation should be done behind the scenes so that the user doesn’t have to even think about it.
We might not ever get there.
And so, after 20 years of trying to convince everyone I meet that they should be using encryption, I, like Filippo, might be done.
However, there is a use case that I think works, and that I will use myself and educate others about. I’ve digitally signed every email that I send using PGP for several years, and I think that it might be the right way to think about how we use PGP. Here’s the approach, which is similar to what Filippo is thinking:
- I will continue to use PGP signatures on all of my email. This provides nonrepudiation to me. I will use my standard, well-known key pair to sign messages.
- When I need to move an email conversation into encryption, I’ll generate a new key pair just for that conversation. The key will be confirmed either via my well-known key pair or via a second channel (Signal IM or similar). The conversation-specific keys will be revoked once the conversation is done.
- I will start to include secure messaging à la Signal in my discussions of privacy.
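The workflow in the list above, as an added example that is not from the original post: a POSIX shell script driving GnuPG (assumed to be gpg 2.1 or later, on PATH) through the three steps: sign with the well-known key, vouch for a fresh conversation key with that well-known key, use the conversation key, and revoke it when the conversation is over. The user IDs, addresses and message text are constructed sample values; both keys are generated in a throwaway GNUPGHOME and, for the demo only, have no passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: the per-conversation key workflow
# described above, driven by GnuPG (assumed: gpg >= 2.1 on PATH).
# Everything runs in a throwaway GNUPGHOME so the real keyring is untouched.
# User IDs and the message text are constructed sample values.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

LONGTERM_UID="Alice (long-term signing key) <alice@example.invalid>"       # constructed
CONVO_UID="Alice, one conversation with Bob <alice+bob@example.invalid>"   # constructed

# Unattended key generation; prints the primary key fingerprint.
# The demo keys are passphrase-less, which a real key should never be.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" default default never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: vouch for the conversation key with the well-known key: a clearsigned
# statement of its fingerprint that the other party can verify before trusting it.
vouch_for_conversation_key() {
    printf 'Conversation key fingerprint: %s\n' "$CV_FPR" > "$GNUPGHOME/vouch.txt"
    gpg --batch --quiet --local-user "$LT_FPR" --clearsign \
        --output "$GNUPGHOME/vouch.txt.asc" "$GNUPGHOME/vouch.txt" 2>/dev/null
}

# Succeeds only if the vouch carries a valid signature from the long-term key
# (the VALIDSIG status line names the signing key's fingerprint).
verify_vouch() {
    gpg --batch --status-fd 1 --verify "$GNUPGHOME/vouch.txt.asc" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .*$LT_FPR"
}

# Encrypt stdin to the given key. Fails for a revoked key even though it is local.
encrypt_to() { gpg --batch --quiet --encrypt --recipient "$1"; }

# Encrypt a line to the conversation key and decrypt it again.
roundtrip() {
    printf 'the secret plan\n' | encrypt_to "$CV_FPR" | gpg --batch --quiet --decrypt 2>/dev/null
}

# Step 3: revoke the conversation key once the conversation is done. GnuPG >= 2.1
# writes a revocation certificate at generation time with a leading colon so it
# cannot be imported by accident; strip the colon and import it.
revoke_conversation_key() {
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$CV_FPR.rev" |
        gpg --batch --quiet --import 2>/dev/null
}

# Validity flag of a key from the colon listing: u = ultimate, r = revoked.
key_validity() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { print $2; exit }'
}

LT_FPR=$(gen_key "$LONGTERM_UID")   # the well-known, published key
CV_FPR=$(gen_key "$CONVO_UID")      # fresh key for this one conversation
vouch_for_conversation_key
verify_vouch
echo "vouch verified: conversation key $CV_FPR signed by $LT_FPR"
PLAINTEXT=$(roundtrip)
echo "round trip through conversation key: $PLAINTEXT"
revoke_conversation_key
echo "conversation key validity after revocation: $(key_validity "$CV_FPR")"
if printf 'late message\n' | encrypt_to "$CV_FPR" >/dev/null 2>&1; then
    echo "revoked key still accepted (unexpected)"
else
    echo "gpg refuses to encrypt to the revoked key"
fi
```

The vouch file is what you would send over the second channel or attach to the first mail: the recipient verifies it against your published key and only then imports the conversation key. After the final step, gpg refuses the revoked key as a recipient, which is the property that limits the blast radius of a compromised conversation key.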
Nonrepudiation is really a benefit to me rather than to anyone receiving my messages, and I don’t see any reason not to use my published keys for this.
I think secure apps like Signal are more natural than bolting PGP onto email, and they are easier for non-technical users to understand. Further, PGP’s lack of forward secrecy (which Signal provides) should make us think twice about encrypting conversation after conversation with the same keys rather than using a new set of keys for each one.
I think this approach will do for the time being.
[Update: Neal Walfield posted his response to Filippo’s article; the comments are a good read on the problems we’re facing with PGP.]